One CPA's thoughts on critical issues and opportunities facing the profession.

Prioritizing Risk

COSO is updating its enterprise risk management framework. The updated framework includes five components and 20 principles. More information on the COSO ERM framework can be found at the COSO website. In this blog I want to focus on prioritizing risks, which is part of the performance component of risk management. Potential criteria for prioritizing risk include:

Severity

Adaptability

Complexity

Velocity

Persistence

Recovery

I think most companies that have moved along the scale of implementing risk management practices think about these criteria when they do the initial risk assessment on new products or changed business practices. Where we all fall down is on updating or reassessing our risk priorities as the world changes around us.

Let’s take a recent example. I’m sure United Airlines had really thought about the different risks related to customer service, overselling planes and the need to move crews around. As a company they thought about the severity of canceling a flight because a crew was not available, of having to deny a passenger a seat because the flight was oversold, and what to do to get customers to volunteer to avoid the real negative of destroying a customer relationship.

I’m guessing, however, that they had not updated that risk assessment for the increase in velocity of negative customer experiences. A decade ago, such experiences would be communicated to family and friends and maybe even impact a company’s decision on using a vendor. Five years ago such experiences might be reported in words via Yelp or other online avenues, but at least you still had some time to react. Today, videos, maybe incomplete and biased, are posted and can go viral in minutes. As we all know now, the velocity of bad customer experiences is very different today than just a couple of years ago, and United had not adjusted its risk prioritization to account for that change.

The bottom line is that no aspect of risk management is ever “done.” Even if your business, products, suppliers and employees have not changed, the world around you has changed and you need to think about how that changing world has changed the risks your company faces and how you prioritize and react to them.